Cookie-or-Pay Walls

Funding Models

Many websites rely on serving ads for their revenue model. Newspapers, such as The Washington Post, are a great example, serving ads via third party ad networks and advertisers. These ads are usually personalised to the website visitor through processing of their personal data. Non-personalised ads can be used instead, usually provided based on context, e.g. showing car ads on a car forum website. An alternative to the ad revenue is a subscription model, charging for access to the website’s content.

Personalised ads are favoured by website publishers over non-personalised ads since the website visitor is more likely to tap/click on them. Higher click volumes create greater revenue for per-click based models and higher per-impression rates (aka “CPM”) for impression/page-view models. And from a financial perspective, an ad based model is free for the visitor, hence ads being a commonly preferred model over subscription pay walls.

Ads – The Need for Consent

Displaying ads that have been provided by a third party (e.g. Google) almost always requires some consent considerations. Firstly, consent is often required for the use of cookies (ePrivacy Directive) by the ad network which uses these for measurement, fraud prevention and other purposes, even if the ads themselves are not personalised.

Although non-personalized ads don’t use cookies or mobile ad identifiers for ad targeting, they do still use cookies or mobile ad identifiers for frequency capping, aggregated ad reporting, and to combat fraud and abuse. Therefore, you must obtain consent to use cookies or mobile ad identifiers for those purposes where legally required, per the ePrivacy Directive in certain EEA countries.

Secondly, if behavioural-based/targeted/personalised ads are used then personal data is heavily used, so GDPR necessarily comes along, and again requires us to gain consent.

Assuming 99% of organisations will want to serve personalised ads, the consent they seek will be for this more personal-data-enriched form. But crucially, if a user does not consent to personalised ads, the fall-back option of non-personalised ads still requires consent.

Rise of the Cookie Wall

If your website/service is funded by ads then you clearly do not want to lose your revenue model through visitors simply not consenting.

This scenario led to the “cookie wall” concept: access to a website is blocked unless the visitor consents to ads, with consent being the only option offered.

A cookie wall means that people who want to visit a website or use an app are asked to accept cookies before they can access the website. If they do not give permission, they will not get access.

Being precise for a moment, using the Dutch regulator’s definition, a “Cookie Wall” is solely based on consent for access. There are no alternatives available. No option to pay instead.

Cookie Wall Example

The IAB Europe website (as of March 2019) contains a cookie wall. When you first land on the website, no cookies or trackers are active (as can be seen from Ghostery), and a cookie wall is shown. The “MORE INFO” button provides only that, information, and no ability to say no to cookies. The only way to get past this wall is clicking “I AGREE”, which then loads the website (and Google Analytics in non-anonymised mode).

This is very much a cookie wall as per the Dutch definition. No consent = no access.

Are Cookie Walls Permitted?

The Dutch regulator says cookie walls are not permitted.

Can I use a cookie wall as an organization? No, that is not allowed. A cookie wall (cookie wall) is not permitted under the General Data Protection Regulation (AVG). That is because with a cookie wall you cannot get valid permission from your visitors or users for placing tracking cookies.

Unsurprisingly, some disagree with the Dutch view. Matthias Matthiesen from IAB Europe expressed his view on 8th March 2019 that the regulator was wrong in its opinion, when challenged by Johnny Ryan (Chief Policy & Industry Relations Officer at Brave) on Twitter.

Twitter exchange between @johnnyryan and @mmatthiesen – 7-8th March 2019

Whilst the argument for a wide sweeping prohibition on all cookie walls has its critics, I am personally of the belief that IAB Europe’s website must meet a higher standard than most in its compliance requirements. That’s not because of what the organisation represents or stands for, but that as a website visitor, I have no free choice to consider alternatives to their website. They have no competition. At least with a newspaper I have a free choice to reject cookie consent to the Washington Post and get my news from somewhere else. If I want information about IAB Europe I am required to consent to their cookies. This aspect of free choice is key in the Austrian DPA’s ruling on an Austrian newspaper’s Cookie-or-Pay Wall.

In April 2017, the EDPS supported this opinion that a no-tracking option must exist when no alternatives are available.

It is crucial that users be able to use a service without being tracked – especially by third parties and in situations where the user depends on, and has no real alternative to, using the service… Considering the importance of freely given consent, and the often insufficient implementation of the current Article 5(3) by operators of websites, the EDPS recommends a complete and explicit ban on so-called ‘tracking walls’.

The Alternative – Cookie-or-Pay Wall

Paying with money is one alternative to an ad funded model. This allows websites to offer a “no ads therefore no consent needed” alternative, as long as you pay up. The Washington Post has this model, a “Consent-or-Pay Wall” as shown below.

Here we have the “free” (no pay) model on the left where consent gives access. And on the right we have a subscription pay model that removes the need for cookie consent since it has no ads. In the middle is a blend of the two.

Note, this is not a Cookie Wall, since consent is not the only option for accessing the website. Payment can be used instead.

Are Cookie-or-Pay Walls Permitted?

The case for Cookie-or-Pay Walls is highly contentious. Some argue that the ePrivacy Directive explicitly permits them, whilst others state they directly contravene the GDPR. Below is a growing list of analyses and opinions.

The Dutch DPA (March 2019)

In the Dutch regulator’s analysis of cookie walls, they mention payment as an alternative to a pure cookie wall mechanism.

How do I request permission as an organization without a cookie wall?

Does someone refuse tracking cookies? Then you still need to give this person access to your website or app, for example after payment.

Here the Dutch regulator states that, rather than using a cookie wall, when you ask for cookie consent and the visitor refuses, you must still provide them access, potentially after they make a payment. They are stating that payment might indeed be an alternative to an ad funded (consent needed) model.

In my view, through their statement above, the Dutch DPA is permitting the use of Cookie-or-Pay Walls.

The Austrian DPA (Nov 2018)

In November 2018, the Austrian DPA permitted an Austrian newspaper to continue using a Cookie-or-Pay Wall, ruling on a complaint they had received. Below is a Google translated version of the wall. This wall is used by other websites, such as on Der Standard, e.g. at https://derstandard.at/1250691466219/Sudoku-1400b.

The UK DPA (Nov 2018)

In November 2018, the ICO expressed the view that the Cookie-or-Pay Wall used by the Washington Post (as shown above) does not comply with the GDPR.

The ICO had received a complaint from an individual, who forwarded their response to The Register. Unfortunately, The Register doesn’t provide the ICO’s response in full and much detail is missing, but the ICO’s opinion on this individual case is pretty clear.

“I am of the view that the Washington Post has not complied with their Data Protection obligations… This is because they have not given users a genuine choice and control over how their data is used… We have written to the Washington Post about their information rights practices… We have told them they should now ensure that users of the Washington Post website have the option to access all levels of subscription without having to accept cookies… We hope that the Washington Post will heed our advice, but if they choose not to, there is nothing more we can do in relation to this matter.”

Here the ICO are stating that the choice to give consent for cookies is not a free choice since the only alternative is payment (contradicting the Austrian DPA view).

Another thing to note is that The Washington Post is outside of the practical enforceable jurisdiction of the ICO, so there is little desire for the ICO to try to take action against them. Hence, in true English style, a strongly worded letter of complaint.

One aspect of this case that I find interesting is the lack of follow up or publicity from the ICO outside of this Register article. No ICO blog. No notice on their website. No confirmation that this opinion and letter from this case worker represents the official opinion of the ICO. So is this the official stance of the ICO? It’s hard to say. I have to think that if it was, they would say so elsewhere, rather than letting this opinion leak out in the press with no follow up.

For now, I would advise people take note of this ICO case worker’s opinion but don’t accept it as official ICO guidance.

EDPS – April 2017

Opinion 6/2017 – EDPS Opinion on the Proposal for a Regulation on Privacy and Electronic Communications (ePrivacy Regulation)

In 2017, the EDPS produced Opinion 6/2017 – EDPS Opinion on the Proposal for a Regulation on Privacy and Electronic Communications (ePrivacy Regulation) (link). In Section 3.4 they specifically discuss “tracking walls”.

Tracking walls, in effect, mean that users who do not accept tracking across other sites will be denied access to the websites that they are seeking to access.

The EDPS is defining a tracking wall in the same way as the Dutch regulator defines a Cookie Wall, i.e. no consent = no access, there is no alternative. This helps support the prohibition of Cookie Walls, but doesn’t help assess the compliance of Cookie-or-Pay Walls.

ePrivacy Regulation (Draft Direction)

As of March 2019 the ePR is still in its draft phase, releasing new iterations on an almost monthly basis. Comparing these versions gives us a direction of travel for where the final version may end up. Two notable sections relate to the Cookie Wall / Cookie-or-Pay Wall scenarios, in Recitals 20-21.

In July 2018, a draft was released that added a sentence stating that payment could be deemed an appropriate alternative to ad cookie consent (Recital 20).

Making access to the website content provided without direct monetary payment conditional to the consent of the end-user to the storage and reading of cookies for additional purposes would normally not be considered disproportionate in particular if the end-user is able to choose between an offer that includes consenting to the use of cookies for additional purposes on the one hand, and an equivalent offer by the same provider that does not involve consenting to data use for additional purposes on the other hand.

Note the words “…in particular…”. In the March 2019 draft, those words are replaced with “inter alia”, meaning “among other things”, which widens the example to allow for different types of alternative mechanisms. But more importantly, this long sentence on allowing Cookie-or-Pay Walls has remained in each iteration of the draft text, virtually untouched, signalling that this isn’t currently a matter for contention.

The Business Case for Walls

Any prohibition of Cookie Walls or Cookie-or-Pay Walls presents a major problem for today’s websites and apps. A large proportion of the web is based on a “freemium” model, providing premium content at zero financial cost to the user, all achieved through displaying ads that people are more inclined to click on. And these ads are almost always served by an ad provider, such as Google, that requires consent under the ePrivacy Directive. So whether these ads are personalised or not, consent is almost always required for ads.

If we accept that Cookie Walls are not GDPR compliant, then we leave websites/apps with three options:

1. Offer their service with no ads and thus no need for consent. (This isn’t really an option for any business.)

2. Offer a paid alternative, as per the Cookie-or-Pay Wall. (This relies on this being a compliant approach.)

3. Only offer “paid access”, aka “Paywall”, with no free/ad-based option. (Some newspapers have opted for this approach, but it commonly only works for the very top tier of services and high end publications.)

If you take the view that both Cookie Walls and Cookie-or-Pay Walls are not compliant then we’re stuck. We’re forcing online businesses to choose between paywalls (which are massively undesirable) or giving away their premium content for free with no revenue model (realistically, services won’t ever do this). Faced with this reality, in my view the EU regulators have no ability to formally prohibit Cookie-or-Pay Walls. It would be grossly anti-competitive, especially for smaller EU based organisations against US tech giants (which is an issue the EU are desperately trying to fight against).

A Nuanced Middle Ground

Risk of privacy invasion is at the heart of the GDPR and we should consider this in a judgement of Cookie-or-Pay Walls. Sadly, a nuanced consideration of degrees of risk has not yet been seen in opinions and rulings from regulators.

In the case of consent for ads (using Google Ads as an example), I’ve previously mentioned that consent is needed as per the ePD for cookies, even if non-personalised ads are used. And consent is needed if personal data is used for the personalised ads (ad tracking) variant. But clearly, the privacy risk is greatly reduced through the use of non-personalised ads. Yes, Google does record information about which ads you viewed, but this isn’t used for retargeting and your personal data isn’t shared with masses of third party ad tech companies or advertisers. The privacy risk is low, and the WP29 have discussed consent exemptions when the risk is low, e.g. with anonymised first party analytics.

I would argue that there is a case to suggest that Cookie Walls should be deemed compliant if they offer a non-personalised ads option.

The NPA Cookie-or-Pay Wall

This opens up the possibility of two alternatives using non-personalised ads (NPA) as another option:

The NPA Cookie-or-Pay Wall (consent for personalised ads, or consent for non-personalised ads, or pay)

The NPA Cookie-or-Pay Wall is in my view a fair balance, allowing a low privacy risk option for users and an ad based revenue model (albeit not optimal) where consent for ad tracking isn’t needed. But crucially, where a service has no alternative providers (e.g. IAB Europe), a fully no-consent-needed option is still probably required. Google provide an example of an NPA Cookie-or-Pay Wall, as shown below:

The recent drafts of the ePrivacy Regulation (as first seen in February 2019) state that the ePrivacy rules may not require consent for cookies used for ads. Note that the GDPR may still require consent for ad tracking that involves the sharing of personal data with third party ad tech providers.

In some cases the use of processing and storage capabilities of terminal equipment and the collection of information from end-users’ terminal equipment may also be necessary for providing an information society service, requested by the end-user, that is wholly or mainly financed by advertising provided that, in addition, the end-user has been provided with clear, precise and user-friendly information about the purposes of cookies or similar techniques and has accepted such use.

This will be a hotly debated change and again there is a big difference between allowing non-personalised ad cookies and personalised ad cookies. ePrivacy rules are generally agnostic of personal data involvement, but they do cater for privacy risk. In turn, it is quite likely that low-risk non-personalised ad cookies would be exempt, and thus no longer require the consent they currently do under the ePD (which Google demands of its publishers for NPA; see the quotation below).

Although non-personalized ads don’t use cookies or mobile ad identifiers for ad targeting, they do still use cookies or mobile ad identifiers for frequency capping, aggregated ad reporting, and to combat fraud and abuse. Therefore, you must obtain consent to use cookies or mobile ad identifiers for those purposes where legally required, per the ePrivacy Directive in certain EEA countries.

By removing the need for ePrivacy cookie consent for Non-Personalised ad cookies, we remove the conditional consent component of the NPA Cookie-or-Pay Wall, making it all the more fair.
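As an added illustration that is not part of the original post, the JavaScript below sketches how a publisher could implement the three-way NPA Cookie-or-Pay Wall described above: no third-party ad script is injected until a valid stored choice exists, a non-personalised choice sets the AdSense requestNonPersonalizedAds flag, and a paid choice loads no ads at all. The cookie name ad_choice, its JSON fields, the consent-wall element id and the policy version are assumptions of this example; the requestNonPersonalizedAds flag and the adsbygoogle.js loader are Google’s public AdSense controls.

```javascript
// Added example: consent gate for an NPA Cookie-or-Pay Wall.
// Nothing third-party loads until the visitor has chosen, and the stored
// choice is re-validated on every page view. Cookie name, record fields,
// policy version and element id are assumptions for this illustration.
const CURRENT_POLICY_VERSION = 3;             // bump when the consent text changes
const MAX_AGE_MS = 365 * 24 * 60 * 60 * 1000; // re-ask after a year

// Parse the assumed "ad_choice" cookie into {choice, version, ts}.
// Returns null when absent or malformed so the caller shows the wall.
function parseConsentCookie(cookieHeader) {
  const m = /(?:^|;\s*)ad_choice=([^;]*)/.exec(cookieHeader || "");
  if (!m) return null;
  try {
    const rec = JSON.parse(decodeURIComponent(m[1]));
    if (!["personalised", "npa", "paid"].includes(rec.choice)) return null;
    if (!Number.isInteger(rec.version) || typeof rec.ts !== "number") return null;
    return rec;
  } catch (e) {
    return null; // bad encoding or bad JSON: treat as no consent
  }
}

// Decide what the page may do. A missing, stale or outdated record is
// treated exactly like no record: wall up, no ad script, no tracking.
function resolveAdMode(rec, now) {
  const wall = { showWall: true, loadAdScript: false, nonPersonalized: false };
  if (!rec || rec.version !== CURRENT_POLICY_VERSION || now - rec.ts > MAX_AGE_MS) {
    return wall;
  }
  if (rec.choice === "paid") {          // subscriber: no ads, so no ad cookies
    return { showWall: false, loadAdScript: false, nonPersonalized: false };
  }
  if (rec.choice === "npa") {           // low-risk option: ads without targeting
    return { showWall: false, loadAdScript: true, nonPersonalized: true };
  }
  return { showWall: false, loadAdScript: true, nonPersonalized: false };
}

// Apply the decision. 'doc' and 'win' are injected so the logic can be
// exercised outside a browser; in a page pass document and window.
function applyAdMode(mode, doc, win) {
  if (!mode.loadAdScript) {
    if (mode.showWall) doc.getElementById("consent-wall").hidden = false;
    return; // no ad script injected, so no ad cookies can be set
  }
  win.adsbygoogle = win.adsbygoogle || [];
  win.adsbygoogle.requestNonPersonalizedAds = mode.nonPersonalized ? 1 : 0;
  const s = doc.createElement("script");
  s.src = "https://pagead2.googlesyndication.com/pagead/js/adsbygoogle.js";
  s.async = true;
  doc.head.appendChild(s);
}
```

On a real page the call order is parseConsentCookie(document.cookie), resolveAdMode(record, Date.now()), then applyAdMode(mode, document, window), with the wall’s buttons writing a fresh ad_choice record and reloading.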

My Outlook

It is my personal opinion that the NPA Cookie-or-Pay Wall should be the preferred approach for website publishers. And I sincerely hope the EU DPAs provide guidance that it is compliant with both the ePD and the GDPR. The ePrivacy Regulation drafts and recent official DPA guidance are showing support for this NPA Cookie-or-Pay Wall model. But frustratingly, the final version of the ePR is still some way off.

Carl Gottlieb is the privacy lead and Data Protection Officer for a select group of leading tech companies. Carl’s consultancy company Cognition provides a range of privacy and security services including virtual DPO and virtual CISO.